Tuesday, September 22, 2015

Two-Factor Authentication: It’s not your mamma’s internet anymore.

The other day a friend of mine decided that it should be International Password Awareness Day.

“I am declaring today as International Password Awareness Day. After being in InfoSec for almost 20 years I have found that the single worst problem we have created is poor password hygiene. Not only do we make terrible passwords, we allow others to make even worse ones without holding them accountable. So let's all take a moment today to fix that. Change your password , ask your family, friends and coworkers to change theirs.” - Chris Nickerson

This is an amazing idea!! It should be the start of a movement for better passwords everywhere! Sometimes however, I get ahead of myself and have to take a moment to step back. I then realize that for the most part password strength still won’t matter. Don’t get me wrong, with the passwords that we’ve seen in recent breaches or professional engagements, 99% of you need to go change your passwords right now (to a good one).

Even as much as I am into information security, I still have some bad habits when it comes to my personal passwords. I keep most of them in an encrypted password safe program, I don’t use dictionary words, keep them complex, don’t reuse them, and keep them over 12 characters. One of the practices that I don’t keep up with (as much as I should) is changing my passwords at a regular interval. Honestly it’s a huge pain. Sure if there is a big breach I’ll go and change my important account passwords. What ends up putting my mind somewhat at ease for a majority of my accounts is using services that allow you to take advantage of Two-Factor Authentication as a method to strengthen the login process.

Two-Factor Authentication (2FA) verifies a user with two independent factors drawn from different categories (for example, something you know plus something you have), so that compromising one of them is not enough to get in. While the number of services and websites that provide 2FA is increasing, we rarely think about it in our own enterprise environments. A surprising number of companies and services only decided to implement 2FA after a large-scale or high-visibility breach. The widely known AP Twitter hack of April 2013, shown below, briefly sent the stock market tumbling.

Twitter started offering 2FA (SMS-based login verification) in May of that same year, barely a month later, and added app-based login approval that August. You can argue that this specific hack may still have been possible, since it was proven to be a phishing attack and a phisher who captures a password can also relay a one-time code in real time; even so, 2FA would have stopped a simple replay of the stolen password and raises the bar for the attacker considerably.

Why Two-Factor Auth?

2FA is not a new concept. Kenneth P. Weiss filed for a patent on it in 1984, and it has slowly gained popularity over the years. One of the first widely adopted forms of 2FA was the card plus PIN used at ATMs. Now that the number of digital assets we need to protect has grown, we are struggling to retrofit it onto environments and software that were never designed for it. As mentioned before, passwords alone are no longer enough given the sheer amount and sensitive nature of the data we now keep in cyberspace.

2FA Methods

Authentication factors are broken up into three categories. True 2FA combines factors from two different categories; a password plus a PIN is still only one factor.

  1. Something you are.
    • Biometric (fingerprint)
    • Voice
  2. Something you have.
    • Physical token
    • Soft token
    • Card with magnetic stripe
    • RFID card
    • Phone (SMS/app/phone call)
  3. Something you know.
    • Password
    • Passphrase
    • Pattern
    • PIN

Of course there are many ways that 2FA can fail to be the security blanket we need, especially when it is implemented poorly. On top of strengthening your passwords, 2FA needs to be part of your defense-in-depth strategy and not just a band-aid for a compliance checkmark.


I’ll give you an example situation that I know for a fact has happened to several pentesters.

Company A decides to implement 2FA using the push-notification or phone-call method. A criminal or pentester comes along and obtains a legitimate username/password combination, whether by phishing, by reusing passwords from a recent breach, or by brute forcing. They should be stopped from authenticating by the 2FA, right? Well, in this case the user gets the phone call or application alert that they have acknowledged so many times in the past. The prompt does not tell the user what they are supposedly logging into, so out of habit they approve the alert or answer the call and press the # key. Boom, the bad guy or pentester is in.

So "something you have" can take on different forms, and they are not equally strong. This setup is technically 2FA and keeps Company A compliant, but it does not leverage the security potential of the software: the second factor only proves that someone holding the phone pressed a button, not that the user actually initiated this login. If the second step instead required a code, one read from the token or app and typed into the login page, or the number shown on the login screen entered into the prompt, an attacker holding only the password could not complete it, and Company A would have been both secure AND compliant.

There are many other threats that I won't get into right now. The bottom line is that passwords alone are weak, and adding 2FA makes that authentication a good deal more secure. In the words of Bruce Schneier:
“Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.”
Two-Factor Authentication is just another piece of the security puzzle. It’s not our savior for sure, but it is an essential part of defense in depth.